Would You Be a Human Sacrifice for $2 Million a Year?

Jul 23 Would You Be a Human Sacrifice for $2 Million a Year?

A plotline in bad (okay really bad) movies, books and TV is the one about the uncharted South Sea island where one person each year is honored by being sacrificed to the volcano god. Kind of an extreme form of taking your boss out to lunch on his/her birthday. Anyway, for a full year before being tossed into the volcano…er…happily jumping in… the sacrificee* is treated to every pleasure the island can provide.

*FYI the added “e” was intentional.

Sacrifice with perks

The job description of the person being sacrificed has a lot of similarities to the job description of chief information security officer (CISO). Well, it does if you add soccer goalie and baseball manager to the mix. There’s an old saying that baseball managers are hired to be fired and one mistake by a goalie can negate all the saves that he/she racked up in the previous minutes. As David Jordan, the chief information security officer for Arlington County, Virginia put it, “We’re like sheep waiting to be slaughtered. We all know what our fate is when there’s a significant breach.” The good news is that while they’re waiting, they’re well treated. According to one study, CISO signing bonuses and salaries range from $188,000 to $1.2 million with perks like working from home, lots of time off and promises of big budgets for staff and security software.

In Nicole Perlroth’s piece on nytimes.com (find the complete article at this link.), she discusses the lot of the CISO from high stakes decisions to getting burned at the stake. The following has been excerpted from her piece and edited to fit our format:

[Toughest job in business world]

Chief information security officers have one of the toughest jobs in the business world: They must stay one step ahead of criminal masterminds in Moscow and military hackers in Shanghai, check off a growing list of compliance boxes and keep close tabs on leaky vendors and reckless employees who upload sensitive data to Dropbox accounts and unlocked iPhones.

They must be skilled in crisis management and communications, and expert in the most sophisticated technology….

[Always right]

“We have to be correct 100 percent of the time,” said Tom Kellermann, the chief information security officer at Trend Micro, a security firm. Cybercriminals, he said, “must be correct once.”

A decade ago, few organizations had a dedicated chief information security officer, or CISO (pronounced SEE-so), as they are known. Now, more than half of corporations with 1,000 or more employees have a full- or part-time executive in the post, according to a study conducted last year by the Ponemon Institute, a research firm.

Many of the chief information security officers who took part in the Ponemon study rated their position as the most difficult in the organization. Most of those questioned said their job was a bad one, or the worst job they have ever had.

[Forced out]

Beth Jacobs, who oversaw Target’s data protection, among other duties, was forced to resign….Stephen Fletcher, who supervised data security for the State of Utah, resigned after a breach two years ago revealed the personal data of 780,000 Medicaid recipients. In January, Justin Somaini, Yahoo’s chief information security officer, left his post shortly before the company acknowledged a breach of some customers’ newly revamped email accounts.

The job is so pressured that many end up leaving — voluntarily or not — after two years, according to the Ponemon study. This compared with chief executives, who stick around for 10 years on average, according to other research.

[Whom/what do you trust?]

Of all the headaches that chief information security officers face, one of the biggest is figuring out which security products to trust.

“In the old days, there was a saying, ‘Nobody ever got fired for buying IBM,’ because you could trust IBM,” said Andrew Caspersen, a former chief information security officer at Charles Schwab. “But security firms have never been able to establish that level of credibility.”

What is more, while many information security officers agree that antivirus software, a traditional form of protection, fails to defend against modern-day threats, some say newer products are not much better.

[Layered defense]

They say there is no silver bullet when it comes to breach defense. It is a matter of layering the most effective technologies, hiring the best people, then hoping for good luck.